It's time to adopt a cyber-savvy culture

Your cybersecurity training isn’t resonating with your people. Here’s why, according to the results of PwC’s Workforce Pulse Survey.

One click on a suspicious link. A company computer connected to public WiFi without a VPN. A password scribbled on a sticky note and left on a desk. 

These small employee missteps can expose organizations to huge cyber risks. But while most employees are aware of cyber theft and other digital dangers, our latest Workforce Pulse Survey shows that most don’t grasp the devastating consequences a data breach or other attack could have on their company, on society — or even on themselves. 

PwC surveyed more than 1,100 American workers nationwide during the week of July 14, 2020. The results reveal a sobering reality for business leaders: The communication and training they offer on cybersecurity and cyber acumen aren’t resonating with employees. Most workers have little awareness of how their employers are protecting them or their company from hackers, ransomware, phishing or other attacks. In some cases, employees are even flouting security rules by downloading unsecure apps or sharing their work device with family members. 

At a time when 61% of CISOs and CIOs say they’re seeing an increase in risks from the use of non-enterprise devices and software due to more people working remotely, there’s a clear opportunity for leaders to make cybersecurity part of their broader safety agenda for employees. Leaders need to double down on targeted communications and training, enforce policies and embed effective controls. Most of all, they must convince their people that practicing good cybersecurity habits will do more than help the company and its multiple stakeholders — it will also help protect their digital lives both at work and at home.

Employees are worried about cyber attacks — but not as much as they should be

Most employees are worried on some level about the dangers of cyber attacks. Their concerns center around the potential impacts to their privacy, such as the exposure of personal information like Social Security numbers, rather than on consequences for the company. But only 22% are very worried about personal financial loss from an attack, and just 15% say they’re very worried about their emails being exposed.

Some employees may simply assume that their company has strong measures in place to protect their information. In fact, 75% of respondents say they trust their employer more than they trust tech companies to keep their personal information safe. But employees may not be aware that many attacks on organizations aren’t necessarily targeting the company. Instead, they’re aimed at stealing employee data, such as salary and retirement information, health status and other personal information. 

Employees and their devices have become the primary gateway to cyber incidents and breaches in recent years — whether through social engineering, malware or hacking. The cost of breaches is borne by individuals as much as by corporations. So communication and training should include information that helps employees understand the ramifications cyberattacks can have on them personally, as well as on the company.

It may also help to highlight the broader societal risks. The effects of even a single successful cyber attack can ripple well beyond company walls to harm citizens and communities. Hijacked social media accounts, misinformation campaigns, compromised consumer data, tax scams, and government systems held hostage by cybercriminals and nation-state actors erode public trust and can cause lasting damage.


[Chart: Company impacts, showing strongly and somewhat worried. Categories: Financial loss to the company; Losses for other stakeholders; Public disclosure of my emails; Loss of company intellectual property; Damage to company brand and reputation]

[Chart: Personal impacts, showing strongly and somewhat worried. Categories: Exposure of personal data to third parties; Impacts on my career; Personal financial loss due to unauthorized access to pay or retirement data; Inability to work and deliver; Unauthorized access to my health data]

Source: PwC Workforce Pulse Survey
July 14-16, 2020: Base 1,071
Q: How worried are you about each of the following occurring as a result of breaches of personal and company data at work?

The security measures you’re taking aren’t connecting with your people

Even before the COVID-19 pandemic, leaders were investing in security measures aimed at preventing cyber attacks and improving cyber acumen, including adding more training for their entire workforce. Nearly 70% of CISOs and CIOs say they increased security training as a result of COVID-19. In contrast, only 30% of employees say their employer offered training on the dos and don'ts of protecting company and personal digital assets, data and information.

Less than a third say their employer provided devices so they could work outside the office without having to use their personal devices. And only 23% say their firm provided a compelling case for why employees need to have good data security habits. Meanwhile, CISOs and CIOs report strong positive impacts from investments to secure remote work (such as authenticating employees accessing their networks and managing mobile devices and other endpoints beyond corporate networks), as well as investments in real-time threat detection and intelligence.

Granted, some of these measures, like screening for potential attacks, take place behind the scenes, outside of most employees’ daily activities. This helps explain why employees may not appreciate all the near-misses security teams prevent every day, because only a few big breaches make headlines. But the lack of awareness around more visible tactics, such as enhanced policies or additional training, indicates that the efforts leaders are making to help increase their employees’ cyber acumen simply aren’t resonating.


[Chart: Employees unaware of company security measures. Categories:]

  • Required authentication of my identity to access corporate networks/data
  • Offered training on protecting digital assets, data and information
  • Provided devices for work outside the office
  • Reinforced policies in the event of a security issue
  • Provided a compelling case for why I need to have good data security habits
  • Approved the use of new software or apps
  • Screened potential attacks to decrease the chances of my being a victim
  • Allowed my personal devices to access corporate networks and data
  • Reduced disruptions or long wait times to connect to corporate networks and data
  • Tracked whether I am storing or sending work-related information on my personal devices
  • Nudged me with pop-up cybersecurity awareness tips

Source: PwC Workforce Pulse Survey
July 14-16, 2020: Base 1,071
Q: To the best of your knowledge, has your employer taken any of the following actions to protect personal and company data, either before or since the start of the pandemic? Please check all that apply.

Millennials and Gen Zers blur the lines

In general, the majority of employees surveyed say they’re acting in cyber-protective ways, such as using their corporate-approved devices and apps for work purposes only. But some employees — specifically Millennials and Gen Z workers — could be raising risk levels for their organizations. PwC’s survey found that these groups are more likely to let friends and family use their work computer for games, online shopping or other personal activities. More than half (51%) of Millennials and 45% of Gen Zers say they use apps and programs on their work devices that their employer has expressly prohibited.

What’s driving this divergence? It could be frustration at what these two groups view as overly burdensome security restrictions — or simply a desire to use apps that make it easier to do their jobs, even if those apps aren’t approved by their company. Employees want the same fast, convenient, frictionless tech experience they have in their personal lives to happen at work, too. But the user experience of enterprise technology isn’t always as seamless as it could be. And with so many people working from home, the need for reliable, user-friendly apps and programs that enable collaboration, creativity and communication has never been higher.


[Chart: Some groups may introduce risks. Series: All respondents; Millennials (ages 24-39); Gen Zers (ages 18-23). Statements:]

  • I should be allowed to take more risks with new apps in return for greater ease of use
  • I find it burdensome and restrictive to comply with all the security guidelines of my organization
  • I use popular programs and apps on my work devices that my employer has expressly asked us not to use
  • I let my family or friends use my work devices
  • I only use my corporate-approved devices and apps for work purposes

Source: PwC Workforce Pulse Survey
July 14-16, 2020: Base 1,071
Q: How much do you agree or disagree with each of the following statements?
Showing strongly or somewhat agree.

Employees fear retribution if they raise a security risk

Mistakes happen, and hackers continue to find new ways to get into corporate systems. Even the most stringent security measures can’t prevent every employee from accidentally responding to a phishing email or visiting a website that secretly allows access to company systems. It’s critical for employees to alert their employers as soon as possible when an issue arises, but the majority of employees say they’re not comfortable doing that. Just 26% of respondents strongly agree that they can escalate a security incident they may have caused without fear of reprisal. 

It’s important to reinforce the message that it’s okay to elevate a security risk. Consider implementing a zero-tolerance policy on retribution or creating a channel for people to report security risks anonymously. The more willing people are to report a risk, the faster you can identify and contain the fallout. 

 

Employees reluctant to raise risks
Source: PwC Workforce Pulse Survey
July 14-16, 2020: Base 1,071
Q: How much do you agree or disagree with the following statement? I can escalate a security incident I may have caused with my employer without fear of reprisal.

Action plan for CHROs, CIOs and CISOs

  • Protect your people’s digital lives. You’re not just protecting company assets, you’re also protecting your employees, your stakeholders and society. Tap into your employees’ trust in you. 
  • Become role models for cyber-savvy habits. Raise expectations that tech and digital sophistication includes strong cyber acumen.
  • Elevate cyber acumen in your digital upskilling program. Award certifications or badges that can be recognized in the talent market. Encourage those who are “certified” to become ambassadors to help others develop their cyber acumen.
  • Introduce incentives and rewards for cyber-savvy habits and cyber-compliant behaviors. Consider gamification techniques that have been proven to reinforce continuous learning.
  • Adjust your messaging, communication and awareness training so it resonates with employees’ concerns about personal loss, rather than focusing on implications for the company.
  • Consider the user experience when choosing technology and designing policies. Involve employees to get their input, especially with emerging or fast-changing apps. The better the experience is for your employees, the less likely they will be to download substitute apps or programs that may introduce risk.
  • Take advantage of modern security controls using powerful techniques such as zero trust (going beyond simply protecting the perimeter) and real-time detection and response, which is informed by behavioral science and powered by AI.
  • Consider offering identity theft management to employees as part of your benefits strategy.

About the PwC Workforce Pulse Survey

PwC conducted an online survey of 1,118 U.S.-based adults from a general population between July 14 and 16, 2020. The PwC Workforce Pulse Survey is conducted on a periodic basis to track changing sentiment and priorities among employees.

Contact us

Bhushan Sethi

Principal, Joint Global Leader, People and Organization, PwC US

Carrie Duarte

Workforce of the Future Leader, PwC US

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Emily Stapf

Cybersecurity, Privacy & Forensics Integrated Solutions Leader, PwC US